CVE-2021-32793
CVE-2021-32793 is a medium-severity vulnerability rated 4.8/10 on the CVSS scale. Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the function to add domains to blocklists or allowlists is vulnerable to a stored cross-site-scripting vulnerability. EPSS estimates a 0.79% chance of exploitation in the next 30 days.
Description
Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the function to add domains to blocklists or allowlists is vulnerable to a stored cross-site-scripting vulnerability. User input added as a wildcard domain to a blocklist or allowlist is unfiltered in the web interface. Since the payload is stored permanently as a wildcard domain, this is a persistent XSS vulnerability. A remote attacker can therefore attack administrative user accounts through client-side attacks. Pi-hole Web Interface version 5.5.1 contains a patch for this vulnerability.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Pi-Hole | Pi-Hole | < 5.5.1 |
References
- https://github.com/pi-hole/AdminLTE/releases/tag/v5.5.1 (Release Notes, Third Party Advisory)
- https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-g3w6-q4fg-p8x8 (Exploit, Third Party Advisory)
Source: NVD / NIST
